julien.escario
/
acme.sh
forked from Github/acme.sh
1
0
Fork 0
Code Pull Requests Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3151 Commits
7 Branches
0 Tags
6.8 MiB
Tree: d9a9695fe0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd9a9695fe0'
${ noResults }
acme.sh/deploy/panos.sh

143 lines
5.0 KiB
Raw Normal View History

Deploy certificates to Palo Alto Network Firewalls
5 years ago
  1. #!/usr/bin/env sh
  3. # Script to deploy certificates to Palo Alto Networks PANOS via API
  4. # Note PANOS API KEY and IP address needs to be set prior to running.
  5. # The following variables exported from environment will be used.
  6. # If not set then values previously saved in domain.conf file are used.
  7. #
  8. # Firewall admin with superuser and IP address is required.
  9. #
  10. # export PANOS_USER="" # required
  11. # export PANOS_PASS="" # required
  12. # export PANOS_HOST="" # required
  14. # This function is to parse the XML
  15. parse_response() {
  16. status=$(echo "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g')
  17. message=$(echo "$1" | sed 's/^.*<result>\(.*\)<\/result.*/\1/g')
  18. return 0
  19. }
  21. deployer() {
  22. type=$1 # Types are cert, key, commit
  23. _debug "**** Deploying $type *****"
  25. #Generate DEIM
  26. delim="-----MultipartDelimiter$(date "+%s%N")"
  27. nl="\015\012"
  28. #Set Header
  29. _H1="Content-Type: multipart/form-data; boundary=$delim"
  30. if [ $type = 'cert' ]; then
  31. content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")"
  32. fi
  33. if [ $type = 'key' ]; then
  34. #Add key
  35. content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
  36. fi
  37. #Close multipart
  38. content="$content${nl}--$delim--${nl}"
  39. #Convert CRLF
  40. content=$(printf %b "$content")
  42. if [ $type = 'cert' ]; then
  43. panos_url="https://$_panos_host/api/?type=import&category=certificate&certificate-name=$_cdomain&format=pem&key=$_panos_key"
  44. fi
  46. if [ $type = 'key' ]; then
  47. panos_url="https://$_panos_host/api/?type=import&category=private-key&certificate-name=$_cdomain&format=pem&passphrase=none&key=$_panos_key"
  48. fi
  49. if [ $type = 'commit' ]; then
  50. cmd=$(_url_encode "<commit><partial><$_panos_user></$_panos_user></partial></commit>")
  51. panos_url="https://$_panos_host/api/?type=commit&cmd=$cmd&key=$_panos_key"
  52. fi
  54. if [ $type = 'key' ] || [ $type = 'cert' ]; then
  55. response=$(_post "$content" "$panos_url" "" "POST")
  56. else
  57. response=$(_get $panos_url)
  58. fi
  59. _debug panos_url $panos_url
  60. _debug "RESPONSE $response"
  61. parse_response "$response"
  62. _debug "STATUS IS $status"
  63. _debug "MESSAGE IS $message"
  64. # Saving response to variables
  65. response_status=$status
  66. # Check for cert upload error and handle gracefully.
  68. #DEBUG
  69. _debug header "$_H1"
  70. # _debug content "$content"
  71. _debug response_status "$response_status"
  72. if [ "$response_status" = "success" ]; then
  73. _debug "Successfully deployed $type"
  74. return 0
  75. else
  76. _err "Deploy of type $type failed. Try deploying with --debug to troubleshoot."
  77. _debug "$message"
  78. return 1
  79. fi
  80. }
  82. # This is the main function that will call the other functions to deploy everything.
  83. panos_deploy() {
  84. _cdomain="$1"
  85. _ckey="$2"
  86. _cfullchain="$5"
  87. # PANOS HOST is required to make API calls to the PANOS/Panorama
  88. if [ -z "$PANOS_HOST" ]; then
  89. if [ -z "$_panos_host" ]; then
  90. _err "PANOS_HOST not defined."
  91. return 1
  92. fi
  93. else
  94. _debug "PANOS HOST is set. Save to domain conf."
  95. _panos_host="$PANOS_HOST"
  96. _savedomainconf _panos_host "$_panos_host"
  97. fi
  98. # Retrieve stored variables
  99. _panos_user="$(_readaccountconf_mutable PANOS_USER)"
  100. _panos_pass="$(_readaccountconf_mutable PANOS_PASS)"
  101. # PANOS Credentials check
  102. if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ]; then
  103. _debug "PANOS_USER, PANOS_PASS is not defined"
  104. if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ]; then
  105. _err "No user and pass found in storage. If this is the first time deploying please set PANOS_USER and PANOS_PASS in environment variables."
  106. return 1
  107. else
  108. _debug "ok"
  109. fi
  110. else
  111. _debug "Saving environment variables"
  112. # Encrypt and save user
  113. _saveaccountconf_mutable PANOS_USER "$PANOS_USER"
  114. _saveaccountconf_mutable PANOS_PASS "$PANOS_PASS"
  115. _panos_user="$PANOS_USER"
  116. _panos_pass="$PANOS_PASS"
  117. fi
  118. _debug "Let's use username and pass to generate token."
  119. if [ -z "$_panos_user" ] || [ -z "$_panos_pass" ] || [ -z "$_panos_host" ]; then
  120. _err "Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST"
  121. return 1
  122. else
  123. _debug "Getting PANOS KEY"
  124. panos_key_response=$(_get "https://$_panos_host/api/?type=keygen&user=$_panos_user&password=$_panos_pass")
  125. _debug "PANOS KEY FULL RESPONSE $panos_key_response"
  126. status=$(echo "$panos_key_response" | sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g')
  127. _debug "STATUS IS $status"
  128. if [ "$status" = "success" ]; then
  129. panos_key=$(echo "$panos_key_response" | sed 's/^.*\(<key>\)\(.*\)<\/key>.*/\2/g')
  130. _panos_key=$panos_key
  131. else
  132. _err "PANOS Key could not be set. Deploy with --debug to troubleshoot"
  133. return 1
  134. fi
  135. if [ -z "$_panos_host" ] && [ -z "$_panos_key" ] && [ -z "$_panos_user" ]; then
  136. _err "Missing host, apikey, user."
  137. return 1
  138. else
  139. deployer cert
  140. deployer key
  141. deployer commit
  142. fi
  143. fi
  144. }